Share via

Unable to onboard machine from on premise to Azure Arc using Arc private link scope

Ajit Sane 0 Reputation points
2025-12-12T07:11:33.63+00:00

Hello,

I am trying to onboard a machine from on premise to Azure Arc using private link scope. I have followed the recommendations from MS to setup things.

At on premise we have an environment connected to Azure via Azure Sit to site VPN, we have a dns forwarder configured for forwarding the requests for below domains to dns forwarder at the Azure end.

his.arc.azure.com

guestconfiguration.azure.com

dp.kubernetesconfiguration.azure.com

A dns forwarder on the Azure end is configured to forward these requests to Azure dns(168.63.129.16).

On the Azure, we have private link scope setup with private endpoint and dns zones.

Dns setup is working fine, from onpremise machine above domains resolves to private ip addresses.

But when running the onboarding script, getting below errors.

msg="AZCM0081: Failed to Get MSI Certificate from HIS"

msg="failed to retrieve MSI cert: 403 Forbidden{"error":{"code":"HCRP403","message":"Access to the specified resource from Public Internet is disallowed.

Note: Tried with and without proxy enabled on the machine, both failed.

Please let us know is there any additional setup required to resolve the issue.

Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-12-12T07:11:52.5266667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    It seems that you are encountering issues with onboarding your machine to Azure Arc using a private link scope, specifically with the error messages related to accessing the Managed Service Identity (MSI) certificate. Here are some troubleshooting steps you can consider:

    1. Check Firewall Rules: Ensure that your local network firewall allows outbound traffic to the necessary Azure services. You need to confirm that you have added the Microsoft Entra ID and Resource Manager service tags to your local network firewall. This is essential for the agent to communicate with these services over the internet until private endpoints are fully operational.
    2. DNS Configuration: Since you mentioned that DNS resolution is working fine and resolves to private IP addresses, double-check that the DNS configuration is correctly set up for all required domains. You can use the nslookup command to ensure that the domains resolve correctly to the private IPs. 
         nslookup gbl.his.arc.azure.com
   nslookup agentserviceapi.guestconfiguration.azure.com
    3. MSI Access: The error "403 Forbidden" indicates that access to the specified resource from the public internet is disallowed. Make sure that the Azure resources you are trying to access allow connections from your private link scope. You might need to review the permissions and access policies associated with the Managed Identity.
    4. Proxy Settings: Since you mentioned trying with and without proxy enabled, ensure that the proxy settings are correctly configured if you are using a proxy. Sometimes, incorrect proxy settings can lead to connectivity issues.
    5. Review Azure Private Endpoint Configuration: Ensure that the private endpoint is correctly associated with the Azure Arc private link scope and that it is configured to allow traffic from your on-premises network.

    If the issue persists after checking these configurations, you may want to consult the Azure documentation for further troubleshooting steps or reach out to Azure support for more specific assistance.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.